Comment by shafyy
3 years ago
Ok, but: "US authorities do not have direct access to your server or its content in the EU. US authorities have to comply with the regulations of the EU legislation."
So, because Hetzner is not owned by a US company, stuff like the CLOUD act doesn't apply to them. So, if you have a contract with the German entity of Hetzner and use a German server, you should be fine in terms of GDPR.
I think it depends on how you read the Schrems II ruling and how you read Hetzner's words.
Any of the big cloud providers can claim that they comply with EU legislation, but they also have to comply with US legislation, and if a 3-letter agency wants to have some data from one of their subsidiaries in the EU, then they can/will decide which contract to breach.
I read Hetzner's statements as being that they can no longer guarantee that they will not be forced to do the same - but that can be my reading of their statement that is wrong.
If I already had them as hosting partner for a solution that fell under Schrems II, I would have them confirm this, to be sure.
But what does "direct" mean here? Indirect could still be ordering them to give US authorities data and to keep silent about being ordered. Maybe (hopefully) that would be against EU regulations?
Lots of EU countries have their intelligence agencies doing close cooperation with Five Eyes (NSA and equivalent agencies of the smaller countries) and willing to turn a blind eye or actively collude in compromising security of IT infra in the EU. Or going further, an oft-reported pattern is that when they want to spy on their own citizens but are forbidden by law, they ask the foreign allies to do the dirty work of spying on their soil and pass back the intelligence.
OK, be that as it may, in IT stuff, the question often becomes "Who is responsible?". If a state or its institutions violate the law, at least no one can blame you for GDPR violations, which you did not commit.